The path to most GRC requirements
Download as PPTX, PDF0 likes182 views
The document outlines a webinar by Rui Melo Biscaia from Watchful Software, focusing on governance, risk, and compliance (GRC) requirements. It emphasizes the importance of data classification for mitigating risks associated with data leaks and highlights the functionalities of RightsWatch software in ensuring compliance with various regulations such as PCI-DSS, HIPAA, ISO 27001, GDPR, and POPI. Additionally, it provides practical scenarios demonstrating how RightsWatch protects sensitive data and delivers audit trails.
The path to most GRC requirements
- 1. The path to most GRC requirements Rui Melo Biscaia Watchful Software
- 2. Some “house rules” on thisWebinar 7/20/2016 © Copyright www.watchfulsoftware.com. 2016 All Rights Reserved. 2 1 You are muted centrally. You don’t need to mute/unmute yourself 2 This webinar is being recorded. You’ll have access to it on-demand watchfulsoftware.com 3 The Q&A session will be at the end. You are welcomed to enter questions anytime, using the Questions feature in the GoToWebinar control panel Speaker Rui Melo Biscaia Director of Product Management & Strategic Accounts Watchful Software
- 3. “Rules ofThumb” 7/20/2016 © Copyright www.watchfulsoftware.com. 2015 All Rights Reserved. 3 Leaks 1 It’s not a matter of ‘if’, but ‘when’ 2 It’s not really about databases anymore 3 Hackers aren’t the greatest threat 4 This doesn’t have to keep happening
- 4. The path to most GRC requirements 7/20/2016 © Copyright www.watchfulsoftware.com. 2016 All Rights Reserved. 4 Data classification is the foundation of any successful information GRC initiative as it: 1 Limits Corporate Liability 2 Slashes risk of adverse reaction to the business from data leakage 3 Increases the competency of users
- 5. 1 Policy-Driven Data Classification & Labelling 2 Role-Based Access Control Policies 3 DynamicWatermarking andTagging 4 Unstructured DataVisibility & Monitoring 5 Complementing the Enterprise Security “Puzzle” RightsWATCH in a nutshell 7/20/2016 © Copyright www.watchfulsoftware.com. 2016 All Rights Reserved. 5
- 6. RightsWATCH GRC usage scenario Paul is an Information Security officer (ISO) that extracts a costumer BD Data is exported to an Excel Spreadsheet (PAN & PII incl.) Paul attaches the Excel Spreadsheet onto the new e-mail message As soon as the Excel Spreadsheet is attached to the e-mail, RightsWATCH automatically classifies and protects the file, without asking Paul for any decision or action on his part Paul mistypes the recipient e-mail address and clicks the “Send” button The email is prevented from being sent, because RightsWATCH recognizes that the e-mail address that Paul typed is wrong RightsWATCH informs Paul of the fact and allows him to correct the mistype so that the e-mail can be sent to the Risk & Compliance manager Risk & Compliance manager receives the e-mail RightsWATCH prevents the Risk & Compliance manager from saving the file onto Dropbox and/or from forwarding it to his personal Gmail account, by blocking him from doing so. He gets a notification on the reason why he is being prevented from doing it.
- 7. The path to most GRC requirements 7/20/2016 © Copyright www.watchfulsoftware.com. 2016 All Rights Reserved. 7 RightsWATCH helps meeting PCI-DSS as it: • Avoid Liability Risk due to Data Loss or Theft • Protect information exchanged with external partners • Protect information during transfer, storage and usage RightsWATCH helps meeting HIPPA as it: • Allows PHI to be automatically classified and protected • Provides a powerful policy engine that identifies PHI and takes actions to classify, apply protective markings and labels and decrease liability • Applies DRM to control access and usage over files that contain PHI • Delivers a comprehensive audit trail RightsWATCH helps meeting ISO 27001 as it: • Prevents inadvertent data loss, even when completely outside your network • Educates users on data sensitivity, while ensuring adherence to security policies • Implements a Multilevel Security Model that extends the Information Security management System • Ensures compliance with the requirements around the handling of sensitive data • Allows users to identify key data & make decisions about how it is stored, transmitted and used • Classifies and protects information which requires special handling
- 8. The path to most GRC requirements 7/20/2016 © Copyright www.watchfulsoftware.com. 2016 All Rights Reserved. 8 RightsWATCH helps meeting the GSC schema as it: • Can be supplied with a 'pre-made' security classification schema to ensure compliance that includes the security classifications and descriptors • Allows for easily adding extra descriptors, customized tool-tip texts for each classification, or custom-configured text labels for each security classification • Allows the “vanilla” classification schema to easily be modified to meet the specific needs of HMG Departments, Agencies, Local Authorities and Police Forces RightsWATCH helps meeting GDPR as it: Delivers a comprehensive audit trail allowing the documentation and trace of any authorized and unauthorized access to confidential data Labels and marks sensitive data to help identify information requiring special handling, allowing for easily adding extra descriptors, customized tooltip texts for each classification, or custom- configured text labels for each security classification Alerts users when sensitive data is leaving the organization to warn or prevent them from sending data outside of the organization Provids a content, context and metadata aware policy engine that identifies PII, takes action to classify the file according to policy, applies protective markings and labels to identify the information and decrease corporate liability RightsWATCH helps meeting PoPI as it: • Allows for personal information to be automatically classified and protected, whenever it is received, handled, or shared • Warns and blocks from sending an email or saving a file, if the action being undertaken goes against corporate policies or PoPI mandates • Brings a content, context and metadata aware policy engine that identifies personal information, to take action to classify the file according to policy, to apply protective markings and labels to identify the information and to decrease corporate liability • Provides a comprehensive audit trail POPI
- 9. Complementing the Enterprise Security “Puzzle” 7/20/2016 © Copyright www.watchfulsoftware.com. 2016 All Rights Reserved. 9
- 10. Q&A 7/20/2016 © Copyright www.watchfulsoftware.com. 2016 All Rights Reserved. 10 1 You are welcomed to enter questions, using the questions feature in the GoToWebinar control panel 2 Check out the “Resources” area on www.watchfulsoftware.com and watch, short, product walkthrough demonstrations of how RightsWATCH address a comprehensive set of use cases 3 E-mail info@watchfulsoftware.com to request a demo of RightsWATCH 4 This webinar was recorded.You’ll have access to it on- demand at www.watchfulsoftware.com
- 11. The path to most GRC requirements Rui Melo Biscaia Watchful Software
Editor's Notes
- #4: Remind them of the key things that we’ve all learned from the Snowden affair: If it happened to the NSA – arguably the most secure organization on the planet – it’s going to happen to you The real valuable information is the ‘distilled information’ that’s already been thought about, processed, and refined – things like executive reports, studies, intellectual property, sales forecasts, project proposals, etc. This stuff is at greatest risk by the people that touch it every day, and can either a) make an honest mistake, b) do something stupid, or c) take a malicious action The only thing that allows this to keep happening is OLD THINKING; the audience needs to use NEW TECHNOLOGY to break away from their OLD APPROACH
- #5: Organizations deal with increasing Governance, Risk and Compliance (GRC) requirements. At the heart of these GRC mandates lies the need to identify, classify and label sensitive information. RightsWATCH can classify data in accordance with your information classification mandate RightsWATCH dynamically classifies all type of information (email, documents, reports, worksheets, etc.) in accord with your organization’s predefined policies and standards. Once classified, that information can receive any markings, disclaimers, etc. that are required by statutory, regulatory, or contractual obligations. This can be done without the common user even needing to know what the policies are, much less remembering to implement them. The result is that the organization remains compliant, avoids breach and limits liability. RightsWATCH remembers, implements, and supports your company’s security requirements…even if all of the users don’t.
- #6: Watchful Software RightsWATCH digitizes your corporate classification and labeling policies to automate the process. If your policy allows, we can allow your users to override the automatic classification. RightsWATCH streamlines and simplifies the user experience. There is no impact on the end user. Unlike our competitors, there is no user input required, no time-consuming pop-up questions to answer and no judgement calls. RightsWATCH shows the user why an asset is being classified or labeled allowing him to modify the data before finalizing it. RightsWATCH automation of your policies makes your existing security infrastructure work better and faster improving compliance throughout your organization. RightsWATCH is used by a wide variety of leading companies globally. You should be using RightsWatch too.
- #7: Paul Brown, the Information Security Officer (ISO) of a financial institution in Johannesburg, is requested to make the bank’s costumer database available to John Smith, who is the headquarters’ Risk & Compliance manager. He exports the data to an Excel Spreadsheet. As the exported file comes out of the database, Paul saves it onto his desktop. The file includes PAN (Primary Account Numbers) and other PII (Personally Identifiable Information). Paul then clicks on the “New e-mail” button on MS Outlook. Next, Paul browses his desktop to attach that very same Excel Spreadsheet onto the new e-mail message. As soon as the Excel Spreadsheet is attached to the e-mail, RightsWATCH automatically classifies and RMS protects the file, without asking Paul for any decision or action on his part. RightsWATCH automatically classifies and protects this sensitive Excel Spreadsheet, according to the policy rules set up by Paul’s company. Paul then types in John’s e-mail address, but he mistypes the e-mail address and clicks on the “Send” button. Without RightsWATCH, nothing happens and the e-mail will be sent to the wrong recipient. With RightsWATCH, the email is prevented from being sent, because RightsWATCH recognises that the e-mail address that Paul typed is wrong and the recipient is not the allowed and intended recipient of the e-mail. At the same, RightsWATCH informs Paul of the fact and allows him to correct the mistype so that the e-mail can be sent to John. John receives the e-mail and opens the attached Excel Spreadsheet. He then tries to save the file onto his personal Dropbox folder, so that he can work on the file at home. RightsWATCH prevents John from saving the file onto Dropbox, by blocking him from doing so. He gets a notification on the reason why he is being prevented from doing it. He then tries to forward the email he got from Paul to his personal Gmail account. RightsWATCH prevents him from doing that also. John realizes that corporate policy dictates that sensitive files are not to be saved and shared via cloud-based drives nor are e-mails, holding corporate classified information, to be forwarded to personal e-mail accounts.
- #8: The PCI-DSS is a set of comprehensive requirements for enhancing payment account data security. to help organizations that process card payments prevent credit card fraud through increased controls around data. RightsWATCH ensures that PHI is only handled by the proper, intended users, and reduces potential liability: With RightsWATCH, a physician dealing with a patient can use email to transmit information from patient healthcare records to other appropriate parties without leading to trouble. In the same manner, a hospital might retrieve patient records from an archive and send them to an insurer as an encrypted, rights-managed document in compliance with HIPAA. To comply with ISO 27001, organizations must plan, establish, maintain, and improve an ISMS policy that includes objectives, processes, and procedures to manage risk and improve information security, including the use of classification and labeling.
- #9: RightsWATCH is uniquely capable of providing a seamless changeover to the new GSC schema as it: Can be supplied with a 'pre-made' security classification schema to ensure compliance that includes the security classifications and descriptors Allows for easily adding extra descriptors, customized tool-tip texts for each classification, or custom-configured text labels for each security classification Allows the “vanilla” classification schema to easily be modified to meet the specific needs of HMG Departments, Agencies, Local Authorities and Police Forces